I'm using Microsoft SQL, btw.

On Tue, Oct 27, 2009 at 10:32 AM, Jason King <[email protected]> wrote:
> The only thing that users can do to affect a query is change an ID value in
> the URL. None of my code relies on the queries being passed via a
> URL string or anything like that.
>
> And I guess the cfqueryparam just checks to make sure the variable is what
> it says it is. I just set it to match what the variable type should be, such
> as integer, and if that fails, the query fails?
>
> -Jason
>
> On Tue, Oct 27, 2009 at 10:28 AM, Alan Williamson (aw1) <[email protected]> wrote:
>
>> With respect to SQL injections and OpenBD ... you don't have to worry
>> too much about it if you are using MYSQL.
>>
>> The CFQUERY implementation doesn't permit two statements to be executed
>> in one block anyway, as the underlying driver validates the query first
>> of all, and if it doesn't parse it won't get sent to the server.
>>
>> I tried to inject code myself, and found it near on impossible; but I
>> could do it with a PHP page. This was a few years back, I grant you.
>>
>> But the safest way you can protect yourself is to simply use
>> <CFQUERYPARAM> and do NOT build up your query via string building.
>>
>> This simple little step pretty much null'n'voids all injection attacks.
>

Open BlueDragon Public Mailing List http://groups.google.com/group/openbd?hl=en
official site @ http://www.openbluedragon.org/
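Alan's advice about <CFQUERYPARAM>, shown next to the string-built form it replaces, as an added example that is not from the thread (the datasource name, the "articles" table and its columns are assumed). Because the value is sent as a bound parameter rather than spliced into the SQL text, the protection does not depend on the driver refusing multiple statements, which matters on Microsoft SQL Server, where a batch of several statements is accepted.

```cfml
<!--- Added example, not from the thread. Assumes a page called as
      article.cfm?id=42, a datasource "myDSN" and a table "articles"
      with an integer "id" column. --->
<cfparam name="url.id" default="">

<!--- Vulnerable: the raw URL value is concatenated into the SQL text,
      so whatever the client sends becomes part of the statement itself. --->
<cfquery name="getArticleUnsafe" datasource="myDSN">
    SELECT id, title, body
    FROM articles
    WHERE id = #url.id#
</cfquery>

<!--- Hardened, step 1: validate up front so a bad ID produces a clean
      400 response instead of a query exception on the error page. --->
<cfif NOT isValid("integer", url.id)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid article id.</cfoutput>
    <cfabort>
</cfif>

<!--- Hardened, step 2: cfqueryparam binds the value as a parameter of the
      declared type. It is never merged into the SQL string, and a value
      that is not an integer is rejected before anything reaches the server. --->
<cfquery name="getArticle" datasource="myDSN">
    SELECT id, title, body
    FROM articles
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<cfif getArticle.recordCount EQ 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>
```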
